{"id":"CVE-2016-8677","details":"The AcquireQuantumPixels function in MagickCore/quantum.c in ImageMagick before 7.0.3-1 allows remote attackers to have unspecified impact via a crafted image file, which triggers a memory allocation failure.","modified":"2026-04-16T06:22:18.183426561Z","published":"2017-02-15T21:59:00.417Z","related":["SUSE-SU-2016:2667-1"],"references":[{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-updates/2016-10/msg00107.html"},{"type":"ADVISORY","url":"http://www.debian.org/security/2016/dsa-3726"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/93598"},{"type":"FIX","url":"http://www.openwall.com/lists/oss-security/2016/10/16/1"},{"type":"FIX","url":"https://blogs.gentoo.org/ago/2016/10/07/imagemagick-memory-allocate-failure-in-acquirequantumpixels-quantum-c/"},{"type":"FIX","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1385698"},{"type":"FIX","url":"https://github.com/ImageMagick/ImageMagick/commit/6e48aa92ff4e6e95424300ecd52a9ea453c19c60"},{"type":"FIX","url":"https://github.com/ImageMagick/ImageMagick/issues/268"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/imagemagick/imagemagick","events":[{"introduced":"0"},{"fixed":"3448b33066a13a5d51dce90ffd083a6106f43e40"},{"fixed":"6e48aa92ff4e6e95424300ecd52a9ea453c19c60"}],"database_specific":{"versions":[{"introduced":"7.0.0-0"},{"fixed":"7.0.3-1"}]}},{"type":"GIT","repo":"https://github.com/imagemagick/imagemagick6","events":[{"introduced":"0"},{"fixed":"01023fb3baf01873fbea7633772b6fb91f225c47"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"6.9.5-10"}]}}],"versions":["6.9.4-0","6.9.4-1","6.9.4-10","6.9.4-2","6.9.4-3","6.9.4-4","6.9.4-5","6.9.4-6","6.9.4-7","6.9.4-8","6.9.4-9","6.9.5-0","6.9.5-1","6.9.5-2","6.9.5-3","6.9.5-4","6.9.5-5","6.9.5-6","6.9.5-7","6.9.5-8","6.9.5-9","7.0.1-0","7.0.1-1","7.0.1-10","7.0.1-2","7.0.1-3","7.0.1-4","7.0.1-5","7.0.1-6","7.0.1-7","7.0.1-8","7.0.1-9","7.0.2-0","7.0.2-1","7.0.2-10","7.0.2-2","7.0.2-3","7.0.2-4","7.0.2-5","7.0.2-6","7.0.2-7","7.0.2-8","7.0.2-9","7.0.3-0"],"database_specific":{"vanir_signatures_modified":"2026-04-11T05:00:58Z","vanir_signatures":[{"signature_version":"v1","signature_type":"Function","digest":{"function_hash":"314098718556698236916120566738345882805","length":23909},"deprecated":false,"id":"CVE-2016-8677-0da7aee0","target":{"file":"coders/tiff.c","function":"ReadTIFFImage"},"source":"https://github.com/imagemagick/imagemagick/commit/6e48aa92ff4e6e95424300ecd52a9ea453c19c60"},{"signature_type":"Line","target":{"file":"coders/tiff.c"},"digest":{"threshold":0.9,"line_hashes":["84680550373460952967099519825603418337","5694236062098787834015223150915129968","203684681586396218956605010586970015984","136308293311900644223628169018993493153","212293181800691785399778873439168583892","117625851565268762256032665930213058059","63387297301128800594111852883308614370","64237483046648517302571804038657046306","327173560626947650014968080789957446701","149835417969605540960619774812931536868","127654393936397486004808695961252400190","192415517286728715622219245581705639053","214546403752011330371960926060826336990","58889587738849316251409381010128459186","160222791427931123027126296694475713912","169474085817719072873815039033303702345","284539390574766893781809129560271625472","233029818438904956730455052894989883866","202196976226799102067167165978283017242","267749070219250420150478545265082655094","248607658077159729307410718908149640213","249247416675250214269085545857358723936","273814999180782611165639836908771254456","271617461936264862672065786749894266553","204436451440224515784871806493617889661","313279751877916181029043117846131851987","264805564078992110163849040056508415075","172316565097788793979161793865217698627","193310051179106649345917450386236247908","140540914708916104648312694127933716633","156945084809396598085885764515994736428","166845043545129985473787791553871437895","16005707821783007815482866254495297126","39302910621898167293865526273311332327","241577464073818297510806051668099941672","38473046979376417360575324375761338955","155492289074677077727117169812524273798","282759871485871863214594353204549806082","66537569222379625526399404618003084298","125945275722066533530807175180298625545","261248131108888352273185049856254184370","17367139534308880748090772877723039784","172331346000726819592119424659079977650","111197687932521447091929246084475902238","153688969893109520637594924383060384554","303395098964902221509077126705156501391","24816265860343153023381369328819519421","319304627345980606428549884803606956378","90235304969149781427474948990014978503","23921849587698291915337337208408547596","192662667074854185575001812975185992392","16826914779039701165453906990506710383","299184792958378065514057238251404410335","338945470265633805431696589549251346930","9442675838061099327519473990157536235","175182537595757964093126165689560553669","57117846493309979030431009577131859049","14619407287723327699511457680728069262","230641358031340643500600545406636633871","30693171843785195148055974885065276595","217351322143011228484939831065784661491","213189864478481014328703349322692322763","18739061020690093626427155769453895173","38251911347365999146501275615384094761","170553469328757332024148515732352053558","95452437148455091660862705130467366996","184279666162704995449629417272562821124","133218215061000229514811930481186953303","221605472236257057980001368241814973503","186012498768983050533377145133846134047","132486793355941607619295069393194344464","275765658176708660247917740740722594405","68443326878228420143786246570014742837","1435186687587740812024418690743498373","36401906500132960962132200044489311043","203576880230237415715077829278404064328","188454350211119284868934591850152046112","39318539511691955881565344225750008898","145003536360479170562741536352936209369"]},"deprecated":false,"id":"CVE-2016-8677-4b9e730f","source":"https://github.com/imagemagick/imagemagick/commit/6e48aa92ff4e6e95424300ecd52a9ea453c19c60","signature_version":"v1"}],"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"13.2"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-8677.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}